The European Regulation on Personal Data of 27 April 2016 (GDPR) authorizes, but strictly limits, profiling.
The GDPR defines profiling as “any type of automated processing of personal data consisting of using these personal data to assess certain personal aspects regarding a natural person, in particular, to analyze or predict facts regarding performance at work, and the economic situation, health, personal preferences, interests, reliability, behavior location and movement this natural person”.
Clause 71 indicates that this type of processing must be accompanied by appropriate guaranties, which must include specific information regarding the person in question, as well as the right to obtain a human intervention, to express his/her opinion, to obtain an explanation concerning the decision taken following this type of evaluation and to contest the decision.
The existence of automated decision-making, “including profiling”, must be communicated to the person in question. The data controller must also provide useful information concerning the algorithm’s underlying logic, as well as the importance and the expected consequences of this processing for the person in question.
Article 22 provides for the right of the person in question to obtain a human intervention by the data controller, to express his/her point of view and to contest the decision.
N.B. Profiling is not authorized as regards “sensitive” data.